🧊 Big release for #JavaScript supply chain security: @pnpm.io 11 now defaults to a 1-day Minimum Release Age, blocks exotic subdependencies, and adds a new Allow Builds model.
A strong step toward reducing exposure to fast-moving npm attacks →
socket.dev/blog/pnpm-11... #nodejs
Is there anything else we can/should do on the client side to mitigate supply chain attacks?
The pnpm e2e tests now use a "pnpm registry" instead of verdaccio. In the future we'll make pnpm faster with this registry.
In the next version of pnpm you'll be able to run the Rust engine for fetching, importing, and linking packages.
🫡 thank you regardless, we just switched the bluesky app to pnpm and it’s like a breath of fresh air after being stuck on yarn 1 so long
I have some early benchmark results with my custom @pnpm.io registry. In different scenarios, overall install times are 2 to 7 times faster than even the already very fast pnpm in Rust. Looks promising.
Glad to see we have many new members of team "node is a dev dependency"
in times like these, I'm very happy that @sanity.io put some of our @opensourcepledge.com dollars on the good folks at @pnpm.io 🫡
(and we made it our mandated package manager internally)